-rw-r--r-- | test/security/k8s/src/check/cmd/check/check.go | 3 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 36 |
2 files changed, 37 insertions, 2 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index fd4c2aff9..81e96e66f 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -25,4 +25,7 @@ func main() {
 	log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams))
 	log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams))
 	log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams))
+
+	log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", master.IsInsecureBindAddressAbsentOrLoopback(k8sParams))
+	log.Printf("IsSecurePortAbsentOrValid: %t\n", master.IsSecurePortAbsentOrValid(k8sParams))
 }
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index bf275c1ca..ac84d8f1c 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -6,7 +6,9 @@ import (
 )
 
 const (
-	disabledPort = 0
+	portDisabled = 0
+	portLowest = 1
+	portHighest = 65536
 )
 
 // IsBasicAuthFileAbsent validates there is no basic authentication file specified.
@@ -45,7 +47,7 @@ func IsKubeletHTTPSConnected(params []string) bool {
 
 // IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
 func IsInsecurePortUnbound(params []string) bool {
-	return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params)
+	return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
 }
 
 // IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
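Review bot: `portHighest = 65536` in the const hunk of api.go is one past the largest valid TCP port, so the upper bound should read `portHighest = 65535`; as written, `hasFlagValidPort` in the final hunk accepts `--secure-port=65536`, a value the API server cannot bind to. The three constants would also benefit from a one-line comment stating their role, e.g. `// Valid TCP port range for --secure-port; portDisabled (0) turns the listener off and is deliberately excluded.` The other hunks on this line (the two new log lines in main and the disabledPort rename) raise nothing.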
@@ -93,3 +95,33 @@ func splitKV(s, sep string) (string, string) {
 	ret := strings.SplitN(s, sep, 2)
 	return ret[0], ret[1]
 }
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+	return isFlagAbsent("--insecure-bind-address=", params) ||
+		hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params)
+}
+
+// IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value.
+func IsSecurePortAbsentOrValid(params []string) bool {
+	return isFlagAbsent("--secure-port=", params) ||
+		hasFlagValidPort("--secure-port=", params)
+}
+
+// hasFlagValidPort checks whether selected flag has valid port as an argument in given command.
+func hasFlagValidPort(flag string, params []string) bool {
+	found := filterFlags(params, flag)
+	if len(found) != 1 {
+		return false
+	}
+
+	_, value := splitKV(found[0], "=")
+	port, err := strconv.Atoi(value) // what about empty parameter?
+	if err != nil {
+		return false
+	}
+	if port < portLowest || port > portHighest {
+		return false
+	}
+	return true
+}
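Review bot: The question left in `// what about empty parameter?` on the strconv.Atoi line of hasFlagValidPort is already answered by the code, since Atoi returns an error for an empty string and the function then returns false for a bare `--secure-port=`; replace it with a statement such as `// Atoi rejects an empty or non-numeric value, so "--secure-port=" with no argument fails validation.` Separately, `_, value := splitKV(found[0], "=")` reaches `ret[1]` unconditionally in splitKV, which panics if filterFlags ever returns an entry without an "=" — whether filterFlags matches on the full `--secure-port=` prefix is not visible in this diff, so this only matters if it matches a bare `--secure-port` as well. The range check at the end also inherits the off-by-one in `portHighest` (65536) introduced in the const hunk above.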